openSUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0046-1
Rating: moderate
References: #1020376 #1029276 #1048183 #1074594 #1075014
#1081714 #1081739 #1090205 #1097733 #1101670
#1104189 #1104190 #1104287 #1105440 #1105442
#1113747 #1128754 #1128926 #1130658 #1134588
#1149075 #1151875 #1156574 #1159010 #1169207
#1169553 #1169779 #1170462 #660126 #671212
#672471 #682665 #687891 #695955 #714618 #722443
#722445 #757062 #763610 #783671 #790545 #796773
#811025 #812948 #842699 #846580 #869371 #884051
#924118 #952844 #956264 #966622 #966841 #967523
#968406 #969538 #969541 #973413 #973418 #976826
#980577 #984998 #986978 #988889
Cross-References: CVE-2011-4953 CVE-2012-2395 CVE-2017-1000469
CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves 6 vulnerabilities and has 58 fixes is
now available.

Description:

This update for cobbler fixes the following issues:

– Add cobbler-tests subpackage for unit testing for openSUSE/SLE
– Adds LoadModule definitions for openSUSE/SLE
– Switch to new refactored auth module.

– use systemctl to restart cobblerd on logfile rotation (boo#1169207)
Mainline logrotate conf file uses already /sbin/service instead of
outdated: /etc/init.d/cobblerd
– Fix cobbler sync for DHCP or DNS (boo#1169553) Fixed mainline by commit
2d6cfe42da
– Signatures file now uses “default_autoinstall” which fixes import
problem happening with some distributions (boo#1159010)

– Fix for kernel and initrd detection (boo#1159010)

– New:
* For the distro there is now a parameter remote_boot_initrd and
remote_boot_kernel ()
* For the profile there is now a parameter filename for DHCP. (#2280)
* Signatures for ESXi 6 and 7 (#2308)
* The hardlink command is now detected more dynamically and thus more
error resistant (#2297)
* HTTPBoot will now work in some cases out of the bug. (#2295)
* Additional DNS query for a case where the wrong record was queried in
the nsupdate system case (#2285)
– Changes:
* Enabled a lot of tests, removed some and implemented new. (#2202)
* Removed not used files from the codebase. (#2302)
* Exchanged mkisofs to xorrisofs. (#2296)
* Removed duplicate code. (#2224)
* Removed unreachable code. (#2223)
* Snippet creation and deletion now works again via xmlrpc. (#2244)
* Replace createrepo with createrepo_c. (#2266)
* Enable Kerberos through having a case sensitive users.conf. (#2272)
– Bugfixes:
* General various Bugfixes (#2331, )
* Makefile usage and commands. (#2344, #2304)
* Fix the dhcp template. (#2314)
* Creation of the management classes and gPXE. (#2310)
* Fix the scm_track module. (#2275, #2279)
* Fix passing the netdevice parameter correctly to the linuxrc. (#2263)
* powerstatus from cobbler now works thanks to a wrapper for ipmitool.
(#2267)
* In case the LDAP is used for auth, it now works with ADs. (#2274)
* Fix passthru authentication. (#2271)
– Other:
* Add Codecov. (#2229)
* Documentation updates. (#2333, #2326, #2305, #2249, #2268)
* Buildprocess:
* Recreation and cleanup of Grub2. (#2278)
* Fix small errors for openSUSE Leap. (#2233)
* Fix rpmlint errors. (#2237)
* Maximum compatibility for debbuild package creation. (#2255, #2292,
#2242, #2300)
* Fixes related to our CI Pipeline (#2254, #2269)
* Internal Code cleanup (#2273, #2270)
– Breaking Changes:
* Hash handling in users.digest file. (#2299)

– Updated to version 3.1.1.
* Introduce new packaging from upstream
* Changelog see below
– New:
* We are now having a cross-distro specfile which can be build in the
OBS (#2220) – before rewritten it was improved by #2144 & #2174
* Grub Submenu for net-booting machines (#2217)
* Building the Cent-OS RPMs in Docker (#2190 #2189)
* Reintroduced manpage build in setup.py (#2185)
* mgmt_parameters are now passed to the dhcp template (#2182)
* Using the standard Pyhton3 logger instead of a custom one (#2160 #2139
#2151)
* Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
* Docs now inside the repo instead of cobbler.github.io and improved
with sphinx (#2117)
– Changes:
* The default tftpboot directory is now /var/lib/tftpboot instead of
previously /srv/tftpboot (#2220)
* Distro signatures were adjusted where necessary (#2219 #2134)
* Removed requirements.txt and placed the requirements in setup.py
(#2204)
* Display only entries in grub which are from the same arch (#2191 #2216)
* Change the name of the cobbler manpage form cobbler-cli to cobbler
back and move it to section 8 (#2188 #2186)
– Bugfixes:
* Incremented Version to 3.1.1 from 3.0.1
* S390 Support was cleaned up (#2207 #2178)
* PowerPC Support was cleaned up (#2178)
* Added a missing import while importing a distro with cobbler import
(#2201)
* Fixed a case where a stacktrace would be produced so pass none instead
(#2203)
* Rename of suse_kopts_textmode_overwrite to kops_overwrite to utils
(#2143 #2200)
* Fix rsync subprocess call (#2199 #2179)
* Fixed an error where the template rendering did not work (#2176)
* Fixed some cobbler import errors (#2172)
* Wrong shebang in various scripts (#2148)
* Fix some imports which fixes errors introduced by the remodularization
(#2150 #2153)
– Other:
* Issue Templates for Github (#2187)

– Update to latest git HEAD code base This version (from mainline so for
quite a while already) also includes fixes for “boo#1149075” and
boo#1151875

– Fix for cobbler import and buildiso (boo#1156574)
– Adjusted manpage creation (needs sphinx as BuildRequires)
– Fix cobbler sync for dhcp and dns enabled due to latest module renaming
patches

– Update to latest git HEAD
– Fixes permission denied in apache2 context when trying to write
cobbler log
– Fixes a bad import in import_signature (item)
– Fixes bad shebang bash path in mkgrub.sh (used in post section)

– Now track Github master branch WARNING: This release contains breaking
changes for your settings file!
* Notable changes:
– Now using standard python logger
– Updated dhcpd.template
– Removed fix_shebang.patch: now in upstream.
– added -s parameter to fdupes call to prevent hardlink across partititons

– Update to latest v3.0.0 cobbler release
– Add previouly added patch: exclude_get-loaders_command.patch to the list
of patches to apply.

– Fix log file world readable (as suggested by Matthias Gerstner) and
change file attributes via attr in spec file
– Do not allow get-loaders command (download of third party provided
network boot loaders we do not trust)
– Mainline fixes: 3172d1df9b9cc8 Add missing help text in
redhat_management_key field c8f5490e507a72 Set default interface if
cobbler system add has no
–interface= param 31a1aa31d26c4a Remove apache IfVersion
tags from apache configs

– Integrated fixes that came in from mainline from other products (to calm
down obs regression checker): CVE-2011-4953, fate#312397, boo#660126,
boo#671212, boo#672471, boo#682665 boo#687891, boo#695955, boo#722443,
boo#722445, boo#757062, boo#763610 boo#783671, boo#790545, boo#796773,
boo#811025, boo#812948, boo#842699 boo#846580, boo#869371, boo#884051,
boo#976826, boo#984998 Some older bugs need boo# references as well:
boo#660126, boo#671212, boo#672471, boo#682665 boo#687891, boo#695955,
boo#722443, boo#722445, boo#757062, boo#763610 boo#783671, boo#790545,
boo#796773, boo#811025, boo#812948, boo#842699 boo#846580, boo#869371,
boo#884051

– Fix for redhat_management_key not being listed as a choice during
profile rename (boo#1134588)
– Added:
* rhn-mngmnt-key-field-fix.diff

– Fixes distribution detection in setup.py for SLESo
– Added:
* changes-detection-to-distro-like-for-suse-distributions.diff

– Moving to pytest and adding Docker test integration
– Added:
* add-docker-integration-testing.diff
* refactor-unittest-to-pytest.diff

– Additional compatability changes for old Koan versions.
– Modified:
* renamed-methods-alias-part2.patch

– Old Koan versions not only need method aliases, but also need compatible
responses
– Added:
* renamed-methods-alias-part2.patch

– Add the redhat_managment_* fields again to enable templating in SUMA.
– Added:
* revert-redhat-management-removal.patch

– Changes return of last_modified_time RPC to float
– Added:
* changes-return-to-float.diff

– provide old name aliases for all renamed methods:
– get_distro_for_koan => get_distro_as_rendered
– get_profile_for_koan => get_profile_as_rendered
– get_system_for_koan => get_system_as_rendered
– get_repo_for_koan => get_repo_as_rendered
– get_image_for_koan => get_image_as_rendered
– get_mgmtclass_for_koan => get_mgmtclass_as_rendered
– get_package_for_koan => get_package_as_rendered
– get_file_for_koan => get_file_as_rendered
– Renamed: get_system_for_koan.patch => renamed-methods-alias.patch

– provide renamed method “get_system_for_koan” under old name for old
clients.
– Added:
* get_system_for_koan.patch

– Bring back power_system method in the XML-RPC API
– Changed lanplus option to lanplus=true in fence_ipmitool.template
– Added:
* power_system_xmlrpc_api.patch
– Changed:
* fence_ipmitool.template

– Disables nsupdate_enabled by default
– Added:
* disable_nsupdate_enabled_by_default.diff

– Fixes issue in distribution detection with “lower” function call.
– Modified:
* remodeled-distro-detection.diff

– Adds imporoved distribution detection. Since now all base products get
detected correctly, we no longer need the SUSE Manager patch.
– Added:
* remodeled-distro-detection.diff

– fix grub directory layout
– Added:
* create-system-directory-at-the-correct-place.patch

– fix HTTP status code of XMLRPC service
– Added:
* fix-http-status-code.patch

– touch /etc/genders when it not exists (boo#1128926)
– Add patches to fix logging
– Added:
* return-the-name-of-the-unknown-method.patch
* call-with-logger-where-possible.patch

– Switching version schema from 3.0 to 3.0.0

– Fixes case where distribution detection returns None (boo#1130658)
– Added:
* fixes-distro-none-case.diff

– Removes newline from token, which caused authentication error
(boo#1128754)
– Added:
* remove-newline-from-token.diff

– Added a patch which fixes an exception when login in with a non-root
user.
– Added:
* fix-login-error.patch

– Added a patch which fixes an exception when login in with a non-root
user.
– Added:
* fix-login-error.patch

– Remove patch merged at upstream:
* 0001-return-token-as-string.patch

– change grub2-x86_64-efi dependency to Recommends

– grub2-i386pc is not really required. Changed to recommended to allow
building for architectures other than x86_64

– Use cdrtools starting with SLE-15 and Leap-15 again. (boo#1081739)
– Update cobbler loaders server hostname (boo#980577)
– Update outdated apache config (boo#956264)
– Replace builddate with changelog date to fix build-compare (boo#969538)
– LOCKFILE usage removed on openSUSE (boo#714618)
– Power management subsystem completely re-worked to prevent
command-injection (CVE-2012-2395)
– Removed patch merged at upstream:
* cobblerd_needs_apache2_service_started.patch

– Checking bug fixes of released products are in latest develop pkg:
– remove fix-nameserver-search.fix; bug is invalid (boo#1029276)
-> not needed anymore
– fix cobbler yaboot handling (boo#968406, boo#966622)
-> no yaboot support anymore
– support UEFI boot with cobbler generated tftp tree (boo#1020376)
-> upstream
– Enabling PXE grub2 support for PowerPC (boo#986978)
-> We have grub2 support for ppc64le
– (boo#1048183) fix missing args and location for xen
-> is in
– no koan support anymore: boo#969541, boo#924118, boo#967523
– not installed (boo#966841) works.
– These still have to be looked at: SUSE system as systemd only
(boo#952844) handle list value for kernel options correctly (boo#973413)
entry in pxe menu (boo#988889)
– This still has to be switched off (at least in internal cobbler
versions): Disabling ‘get-loaders’ command and ‘check’ fixed. boo#973418

– Add explicity require to tftp, so it is used for both SLE and openSUSE
(originally from jgonzalez@suse.com)
– Moved Recommends according to spec_cleaner

– Require latest apache2-mod_wsgi-python3 package This fixes interface to
http://localhost/cblr/svc/…
– Use latest github cobbler/cobbler master branch in _service file
– cobblerd_needs_apache2_service_started.patch reverted, that is mainline
now:
– Only recommend grub2-arm and grub2-ppc packages or we might not be able
to build on factory where arm/ppc might not be built
– Remove genders package requires. A genders file is generated, but we do
not need/use the genders package.

– Update to latest cobbler version 3.0 mainline git HEAD version and
remove already integrated or not needed anymore patches.
– Serial console support added, did some testing already Things should
start to work as expected

– Add general grub2 support

– Put mkgrub.* into mkgrub.sh

– Add git date and commit to version string for now

– Add grub2 mkimage scripts: mkgrub.i386-pc mkgrub.powerpc-ieee1275
mkgrub.x86_64-efi mkgrub.arm64-efi and generate grub executables with
them in the %post section

– build server wants explicite package in BuildRequires; use tftp
– require tftp(server) instead of atftp
– cleanup: cobbler is noarch, so arch specific requires do not make sense
– SLES15 is using /etc/os-release instead of /etc/SuSE-release, use this
one for checking also
– add sles15 distro profile (boo#1090205)
– fix signature for SLES15 (boo#1075014)
– fix signature for SLES15 (boo#1075014)
– fix koan wait parameter initialization
– Fix koan shebang
– Escape shell parameters provided by the user for the reposync action
(CVE-2017-1000469) (boo#1074594)
– detect if there is already another instance of “cobbler sync” running
and exit with failure if so (boo#1081714)
– do not try to hardlink to a symlink. The result will be a dangling
symlink in the general case (boo#1097733)
– fix service restart after logrotate for cobblerd (boo#1113747)
– rotate cobbler logs at higher frequency to prevent disk fillup
(boo#1113747)
– Forbid exposure of private methods in the API (CVE-2018-10931)
(CVE-2018-1000225) (boo#1104287) (boo#1104189) (boo#1105442)
– Check access token when calling ‘modify_setting’ API endpoint
(boo#1104190) (boo#1105440) (CVE-2018-1000226)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-46=1

Package List:

– openSUSE Leap 15.2 (noarch):

cobbler-3.1.2-lp152.6.3.1
cobbler-tests-3.1.2-lp152.6.3.1
cobbler-web-3.1.2-lp152.6.3.1

References:

https://www.suse.com/security/cve/CVE-2011-4953.html
https://www.suse.com/security/cve/CVE-2012-2395.html
https://www.suse.com/security/cve/CVE-2017-1000469.html
https://www.suse.com/security/cve/CVE-2018-1000225.html
https://www.suse.com/security/cve/CVE-2018-1000226.html
https://www.suse.com/security/cve/CVE-2018-10931.html
https://bugzilla.suse.com/1020376
https://bugzilla.suse.com/1029276
https://bugzilla.suse.com/1048183
https://bugzilla.suse.com/1074594
https://bugzilla.suse.com/1075014
https://bugzilla.suse.com/1081714
https://bugzilla.suse.com/1081739
https://bugzilla.suse.com/1090205
https://bugzilla.suse.com/1097733
https://bugzilla.suse.com/1101670
https://bugzilla.suse.com/1104189
https://bugzilla.suse.com/1104190
https://bugzilla.suse.com/1104287
https://bugzilla.suse.com/1105440
https://bugzilla.suse.com/1105442
https://bugzilla.suse.com/1113747
https://bugzilla.suse.com/1128754
https://bugzilla.suse.com/1128926
https://bugzilla.suse.com/1130658
https://bugzilla.suse.com/1134588
https://bugzilla.suse.com/1149075
https://bugzilla.suse.com/1151875
https://bugzilla.suse.com/1156574
https://bugzilla.suse.com/1159010
https://bugzilla.suse.com/1169207
https://bugzilla.suse.com/1169553
https://bugzilla.suse.com/1169779
https://bugzilla.suse.com/1170462
https://bugzilla.suse.com/660126
https://bugzilla.suse.com/671212
https://bugzilla.suse.com/672471
https://bugzilla.suse.com/682665
https://bugzilla.suse.com/687891
https://bugzilla.suse.com/695955
https://bugzilla.suse.com/714618
https://bugzilla.suse.com/722443
https://bugzilla.suse.com/722445
https://bugzilla.suse.com/757062
https://bugzilla.suse.com/763610
https://bugzilla.suse.com/783671
https://bugzilla.suse.com/790545
https://bugzilla.suse.com/796773
https://bugzilla.suse.com/811025
https://bugzilla.suse.com/812948
https://bugzilla.suse.com/842699
https://bugzilla.suse.com/846580
https://bugzilla.suse.com/869371
https://bugzilla.suse.com/884051
https://bugzilla.suse.com/924118
https://bugzilla.suse.com/952844
https://bugzilla.suse.com/956264
https://bugzilla.suse.com/966622
https://bugzilla.suse.com/966841
https://bugzilla.suse.com/967523
https://bugzilla.suse.com/968406
https://bugzilla.suse.com/969538
https://bugzilla.suse.com/969541
https://bugzilla.suse.com/973413
https://bugzilla.suse.com/973418
https://bugzilla.suse.com/976826
https://bugzilla.suse.com/980577
https://bugzilla.suse.com/984998
https://bugzilla.suse.com/986978
https://bugzilla.suse.com/988889